Merge branch 'ce-jej/fix-git-http-with-sso-enforcement' into 'master'
Avoid setting Gitlab::Session on sessionless requests and Git HTTP See merge request gitlab-org/gitlab-ce!29146
commit
055c160be1
|
@ -440,6 +440,8 @@ class ApplicationController < ActionController::Base
|
||||||
end
|
end
|
||||||
|
|
||||||
def set_session_storage(&block)
|
def set_session_storage(&block)
|
||||||
|
return yield if sessionless_user?
|
||||||
|
|
||||||
Gitlab::Session.with_session(session, &block)
|
Gitlab::Session.with_session(session, &block)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
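Review bot: The new guard `return yield if sessionless_user?` in set_session_storage has no comment saying why sessionless requests are excluded, and the exclusion only holds when whatever decides `sessionless_user?` has already run before this around_action — the spec in this commit achieves that with prepend_before_action, but a controller that authenticates a token or feed user in a before_action declared after set_session_storage would, as far as the hunk shows, still be wrapped in a Gitlab::Session. A short comment above the guard would help the next reader, e.g. `# Token/feed requests carry no cookie session, so only the session-backed web path is wrapped; sessionless_user? must already be decided when this runs`. If the ordering is relied upon, stating it in the comment is cheaper than rediscovering it from a failing SSO enforcement later. set_session_storage begins and ends inside the hunk.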
@ -15,6 +15,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
|
||||||
alias_method :authenticated_user, :actor
|
alias_method :authenticated_user, :actor
|
||||||
|
|
||||||
# Git clients will not know what authenticity token to send along
|
# Git clients will not know what authenticity token to send along
|
||||||
|
skip_around_action :set_session_storage
|
||||||
skip_before_action :verify_authenticity_token
|
skip_before_action :verify_authenticity_token
|
||||||
skip_before_action :repository
|
skip_before_action :repository
|
||||||
before_action :authenticate_user
|
before_action :authenticate_user
|
||||||
|
|
|
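Review bot: The added `skip_around_action :set_session_storage` sits between the comment `# Git clients will not know what authenticity token to send along` and the `skip_before_action :verify_authenticity_token` that comment explains, so the comment now reads as if it justified the session skip. Move the new line above that comment and give it its own one-line reason, e.g. `# Git over HTTP authenticates each request via authenticate_user, not via a browser session, so no Gitlab::Session is established` — that this controller authenticates per request is inferred from the visible `before_action :authenticate_user` and should be confirmed. Note also that after this skip `Gitlab::Session.current` will be nil throughout this controller and its subclasses; anything there that still reads it would now see nil rather than fail loudly.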
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Avoid setting Gitlab::Session on sessionless requests and Git HTTP
|
||||||
|
merge_request: 29146
|
||||||
|
author:
|
||||||
|
type: fixed
|
|
@ -691,4 +691,38 @@ describe ApplicationController do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'Gitlab::Session' do
|
||||||
|
controller(described_class) do
|
||||||
|
prepend_before_action do
|
||||||
|
authenticate_sessionless_user!(:rss)
|
||||||
|
end
|
||||||
|
|
||||||
|
def index
|
||||||
|
if Gitlab::Session.current
|
||||||
|
head :created
|
||||||
|
else
|
||||||
|
head :not_found
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'is set on web requests' do
|
||||||
|
sign_in(user)
|
||||||
|
|
||||||
|
get :index
|
||||||
|
|
||||||
|
expect(response).to have_gitlab_http_status(:created)
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with sessionless user' do
|
||||||
|
it 'is not set' do
|
||||||
|
personal_access_token = create(:personal_access_token, user: user)
|
||||||
|
|
||||||
|
get :index, format: :atom, params: { private_token: personal_access_token.token }
|
||||||
|
|
||||||
|
expect(response).to have_gitlab_http_status(:not_found)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
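Review bot: The new 'Gitlab::Session' context exercises set_session_storage in ApplicationController only; the `skip_around_action :set_session_storage` added to Projects::GitHttpClientController in the same commit has no spec, so a later reordering or removal of that skip would go unnoticed. A small example in that controller's spec asserting that `Gitlab::Session.current` is nil during a request would pin it. Within this hunk, encoding the outcome as `head :created` versus `head :not_found` means that, if an authentication failure in the sessionless path were ever rendered as 404, the 'is not set' example would pass for the wrong reason; using `head :ok` versus `head :no_content`, or rendering the value and asserting on the body, would keep the two cases distinguishable. The describe block enclosing this hunk begins outside it.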